Reconstructing the Scene of the Crime

METASPLOIT AUTOPSY 



Who are they?



DAVIS
Security Consultant / Researcher at MANDIANT

MAN
Engineer / Researcher at MANDIANT



Agenda

- Demo: Pop it like it's hotttt
- Problem / Solution
- Process Acquisition
- Metasploit
- Meterpreter Communication
- Metasploit Forensic Framework (MSFF)




Reconstructing it like it's hotttt



Problem

- Meterpreter
  - Traditional disk forensics is helpless
  - The attack vector may never touch disk
  - No way to determine what happened

Goal

Reconstruct the attacker's Meterpreter sessions with as much reliability as possible






MANDIANT Memoryze

ENUMERATION
- All running processes
  - Handle table
  - Memory sections
  - Ports
  - Strings
- Drivers
  - Including layered ones
- Certain kernel hooks

ACQUISITION
- Physical memory image
- Running process's memory space
  - Binary
  - Loaded DLL's
  - Stacks
  - Heaps
  - Data sections
- Drivers



MANDIANT Memoryze

- Can analyze memory live, or from an image
  - Live analysis can use the paging file for a more complete picture of memory
- Supported platforms
  - 32-bit Windows 2000, XP, 2003 Server
  - Beta support for Vista
- Download at



Why Process Acquisition?

- Acquisition was originally used mostly for malware analysis
  - Acquire packed binaries running in memory
  - Usually utilized debuggers
  - Can defeat most packers
- Acquisition has other uses:
  - Acquire unknown binaries for VirusTotal
  - Acquire memory to look for protocol strings
  - Encrypted strings are unencrypted in memory






Classic Process Acquisition

- Current methodology
  - Open a handle to the process, OR
  - Attach to the process
  - ReadProcessMemory(hProc, ImageBase, buffer, ImageSize, &BytesRead)
- Current drawbacks
  - Requires "touching" a process
  - Detecting debuggers is trivial



Process Acquisition: Memoryze

RELIES ON
- Physical memory access
- Virtual to physical address translation

DOES NOT RELY ON
- Attaching to a process with a debugger
- Opening handles to processes or threads
- API calls
- The OS's Virtual Memory Manager



Memoryze: Process Acquisition

- Accessing physical memory
  - Live analysis
  - Acquisition
- \Device\PhysicalMemory
  - Section object exposed by Windows
  - Reading from a handle to it allows an application to read physical memory
  - Every virtual address must be translated to a physical offset within the section object
Memoryze: Process Acquisition

- Map physical memory into a buffer
- Acquisition:
  - Write the buffer to disk (dd)
- Analysis:
  - Scan the buffer for known signatures of kernel structures, e.g. EPROCESS



New Process Acquisition

- Find all processes (EPROCESS) in physical memory
- VadRoot within the EPROCESS structure
  - The VadRoot is the top node of a tree of Memory Manager Virtual Address Descriptor (MMVAD) entries
  - MMVAD entries contain the virtual start address and size of each memory section within a process
  - MMVAD entries containing mapped DLL's or EXE's will have a pointer to the path of the binary
  - Helps manage the process's virtual address space
Memoryze: Process Acquisition

OllyDbg's memory map view shows the different sections:

Address   Size      Owner  Section  Contains              Type  Access      Initial
00010000  00001000                                        Priv  RW          RW
00020000  00001000                                        Priv  RW          RW
00030000  00001000                                        Priv  RW          RW
0007B000  00001000                                        Priv  RW Guarded  RW
0007C000  00004000                  stack of main thread  Priv  RW Guarded  RW
00080000  00003000                                        Map   R           R
00090000  00002000                                        Map   R           R
00000000  00010000                                        Priv  RW          RW
001A0000  00006000                                        Priv  RW          RW
001B0000  00003000                                        Map   RW          RW

Each address range is an entry in VadRoot, represented by a MMVAD structure.

Enumeration of VadRoot allows access to DLL's and binary images.
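Walking that tree from VadRoot is what yields one dump file per address range. The following is an added example, not Memoryze's code: it walks a constructed set of XP-style _MMVAD_SHORT nodes in a small pool buffer and returns the per-range file names in the <pid>_<start>-<end>.VAD style seen in the Memoryze output listing later in this deck. The field offsets, the POOL_VA base, the subtraction-only v2p() translation and the sample tree are assumptions made for this example; a real tool translates every pointer through the process's page tables and reads the full _MMVAD to reach the ControlArea and the file name of a mapped image.

```python
import struct

# Windows XP x86 _MMVAD_SHORT layout (assumed for this example; take the real
# offsets from the target build's symbols, the full _MMVAD adds ControlArea etc.).
OFF_STARTING_VPN = 0x00
OFF_ENDING_VPN = 0x04
OFF_PARENT = 0x08
OFF_LEFT_CHILD = 0x0C
OFF_RIGHT_CHILD = 0x10
MMVAD_SHORT_SIZE = 0x18
PAGE_SHIFT = 12

# Hypothetical: the constructed pool buffer below is "mapped" at this kernel VA,
# so translation is a subtraction. A real tool walks the page tables instead.
POOL_VA = 0x8AAB0000


def v2p(va):
    off = va - POOL_VA
    if off < 0:
        raise ValueError(f"pointer 0x{va:08x} outside the acquired region")
    return off


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def walk_vad(buf, root_va):
    """In-order walk of the VAD tree starting at VadRoot.

    Returns the (start, end) virtual address range of every MMVAD, in address
    order because the tree is keyed on StartingVpn. A cycle (corrupt or partly
    overwritten tree) aborts the walk instead of looping forever.
    """
    ranges, stack, seen = [], [], set()
    node = root_va
    while node or stack:
        while node:
            if node in seen:
                raise ValueError(f"cycle in VAD tree at 0x{node:08x}")
            seen.add(node)
            stack.append(node)
            node = u32(buf, v2p(node) + OFF_LEFT_CHILD)
        node = stack.pop()
        off = v2p(node)
        start = u32(buf, off + OFF_STARTING_VPN) << PAGE_SHIFT
        end = (u32(buf, off + OFF_ENDING_VPN) << PAGE_SHIFT) | 0xFFF
        ranges.append((start, end))
        node = u32(buf, off + OFF_RIGHT_CHILD)
    return ranges


def vad_file_name(pid, start, end):
    """Name of the per-range dump file, in the <pid>_<start>-<end>.VAD style."""
    return f"{pid}_0x{start:08x}-0x{end:08x}.VAD"


def acquired_files(pid, buf, root_va):
    return [vad_file_name(pid, s, e) for s, e in walk_vad(buf, root_va)]


def make_vad_node(start, end, parent, left, right):
    """Constructed _MMVAD_SHORT: VPNs are page numbers, pointers are kernel VAs."""
    node = bytearray(MMVAD_SHORT_SIZE)
    struct.pack_into("<IIIII", node, 0, start >> PAGE_SHIFT, end >> PAGE_SHIFT,
                     parent, left, right)
    return bytes(node)


# Constructed pool region: three MMVADs for the first ranges of PID 976 in the
# output listing, with the middle range as the root of the tree.
ROOT = POOL_VA + 0x100
LEFT = POOL_VA + 0x200
RIGHT = POOL_VA + 0x300
_pool = bytearray(0x400)
_pool[0x100:0x100 + MMVAD_SHORT_SIZE] = make_vad_node(0x00A40000, 0x00A7FFFF, 0, LEFT, RIGHT)
_pool[0x200:0x200 + MMVAD_SHORT_SIZE] = make_vad_node(0x00A00000, 0x00A3FFFF, ROOT, 0, 0)
_pool[0x300:0x300 + MMVAD_SHORT_SIZE] = make_vad_node(0x00A80000, 0x00A81FFF, ROOT, 0, 0)
SAMPLE_POOL = bytes(_pool)

if __name__ == "__main__":
    for name in acquired_files(976, SAMPLE_POOL, ROOT):
        print(name)
```

The walk is iterative with an explicit stack and a visited set on purpose: a VAD tree carved from a memory image may have been partly reused by the time the image was taken, and a recursive walk over a node whose child pointer now points back up the tree would never terminate.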
Finding Processes

Figure: kernel address space around 0x8aadb830-0x8aadb83C, with the DWORD that matches the EPROCESS DISPATCHER_HEADER highlighted; the neighbouring DWORDs are list pointers back into the same region (0x8aadb838, 0x8aadb840) and zeros.

A matching DISPATCHER_HEADER indicates a possible EPROCESS, but further checks are needed.
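An added example (not Memoryze's code) of the signature scan and the extra checks behind that last line: it carves EPROCESS candidates out of a constructed physical-memory buffer that holds a decoy DISPATCHER_HEADER hit and one plausible process. The XP SP2 x86 field offsets, the decoy and the sample process are assumptions of this example; the validation rules (page-aligned DirectoryTableBase, kernel-range ActiveProcessLinks, printable ImageFileName) are the kind of sanity checks a carver applies before trusting a signature match.

```python
import struct

# Field offsets of the 32-bit Windows XP SP2 EPROCESS (assumed for this
# example; every OS build has its own layout, take them from the target's symbols).
DISPATCHER_HEADER_SIG = b"\x03\x00\x1b\x00"  # Type=3 (process), Size=0x1b DWORDs
OFF_DIRECTORY_TABLE_BASE = 0x18
OFF_UNIQUE_PROCESS_ID = 0x84
OFF_ACTIVE_PROCESS_LINKS = 0x88
OFF_VAD_ROOT = 0x11C
OFF_IMAGE_FILE_NAME = 0x174
EPROCESS_SIZE = 0x260
KERNEL_VA_MIN = 0x80000000


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def image_name(buf, off):
    raw = buf[off + OFF_IMAGE_FILE_NAME:off + OFF_IMAGE_FILE_NAME + 16]
    return raw.split(b"\x00", 1)[0]


def looks_like_eprocess(buf, off):
    """The 'further checks' applied after the DISPATCHER_HEADER signature hit."""
    if off + EPROCESS_SIZE > len(buf):
        return False
    # Page directory base (the CR3 value) is non-zero and page aligned.
    dtb = u32(buf, off + OFF_DIRECTORY_TABLE_BASE)
    if dtb == 0 or dtb & 0xFFF:
        return False
    # ActiveProcessLinks Flink/Blink point into kernel address space.
    flink = u32(buf, off + OFF_ACTIVE_PROCESS_LINKS)
    blink = u32(buf, off + OFF_ACTIVE_PROCESS_LINKS + 4)
    if flink < KERNEL_VA_MIN or blink < KERNEL_VA_MIN:
        return False
    # ImageFileName is a short, printable, NUL-terminated name.
    name = image_name(buf, off)
    return bool(name) and all(0x20 <= c < 0x7F for c in name)


def scan_eprocess(buf):
    """Carve EPROCESS candidates out of a physical memory buffer.

    Returns (offset, pid, image name, VadRoot) for every candidate that passes
    the extra checks; bare signature hits that fail them are dropped.
    """
    hits = []
    pos = buf.find(DISPATCHER_HEADER_SIG)
    while pos != -1:
        # Pool allocations are 8-byte aligned, which filters most stray matches.
        if pos % 8 == 0 and looks_like_eprocess(buf, pos):
            hits.append((pos,
                         u32(buf, pos + OFF_UNIQUE_PROCESS_ID),
                         image_name(buf, pos).decode("ascii"),
                         u32(buf, pos + OFF_VAD_ROOT)))
        pos = buf.find(DISPATCHER_HEADER_SIG, pos + 1)
    return hits


def make_fake_eprocess(pid, name, vadroot):
    """Constructed EPROCESS image carrying only the fields checked above."""
    e = bytearray(EPROCESS_SIZE)
    e[0:4] = DISPATCHER_HEADER_SIG
    struct.pack_into("<I", e, OFF_DIRECTORY_TABLE_BASE, 0x0A1E0000)
    struct.pack_into("<I", e, OFF_UNIQUE_PROCESS_ID, pid)
    struct.pack_into("<II", e, OFF_ACTIVE_PROCESS_LINKS, 0x8AADB8B8, 0x8A9F0108)
    struct.pack_into("<I", e, OFF_VAD_ROOT, vadroot)
    e[OFF_IMAGE_FILE_NAME:OFF_IMAGE_FILE_NAME + len(name)] = name
    return bytes(e)


# Constructed "physical memory": a decoy signature with zeroed fields at 0x1000
# (rejected by the checks) and a plausible svchost.exe EPROCESS at 0x1200.
SAMPLE_PHYSMEM = (
    bytes(0x1000)
    + DISPATCHER_HEADER_SIG + bytes(0x200 - 4)
    + make_fake_eprocess(976, b"svchost.exe", 0x8AAB1D20)
    + bytes(0x800)
)

if __name__ == "__main__":
    for off, pid, name, vadroot in scan_eprocess(SAMPLE_PHYSMEM):
        print(f"EPROCESS @ 0x{off:08x}: pid={pid} name={name} VadRoot=0x{vadroot:08x}")
```

Scanning for the signature rather than walking the PsActiveProcessHead list is what makes this independent of the OS's own bookkeeping: a process unlinked from the list by a rootkit, or one that has exited but whose pool block has not yet been reused, still has its DISPATCHER_HEADER in the image.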



Screenshot: Memoryze output directory for PID 976. One file per mapped module, named <pid>_<escaped path> (976_%5cWINDOWS%5csystem32%5cws2_32.dll, ...ws2help.dll, ...wshtcpip.dll, ...wsock32.dll, ...wtsapi32.dll, ...wuaueng.dll, ...wuauserv.dll, ...wups2.dll, ...wups.dll, ...wzcsvc.dll, ...xactsrv.dll, and the WinSxS comctl32.dll), a BatchResult.xml, and one .VAD file per address range named <pid>_<start>-<end>.VAD (C%3a%5cWINDOWS%5cSystem32%5c976_0x00a00000-0x00a3ffff.VAD, 976_0x00a40000-0x00a7ffff.VAD, 976_0x00a80000-0x00a81fff.VAD, 976_0x00a90000-0x00a95fff.VAD, 976_0x00aa0000-0x00aaffff.VAD, 976_0x00ab0000-0x00ab0fff.VAD, ... up through the 0x7ff8xxxx-0x7ff9xxxx ranges).
New Process Acquisition

- Allows dumping of the full address space
- Overcomes most binary packing
- Captures communication protocol strings
- Bypasses any anti-debugging techniques
- Acquires:
  - DLL's that are only in memory
  - Code corresponding to injected threads or shellcode
Metasploit

- Open source exploit framework originally developed in Perl (1.x, 2.x) by HD Moore et al.
  - Currently Ruby (3.x)
- Platform independent
- Multiple payloads



Meterpreter

- The next generation of post-exploitation payloads
- Forget /bin/sh and cmd.exe
  - Limited to stdin, stderr, stdout
  - Non-interactive
- Fully functioning client/server interface
  - File upload / download
  - Key logging
  - Simple extension addition
  - Can be completely memory resident
Under the Meterpreter Hood

- DLL gets injected into the exploited process
- Hooks LoadLibrary (on Windows)
  - Applies a hook to the Win32 API LoadLibrary
  - Changes the lower-level APIs' behavior to allow LoadLibrary to load a DLL from memory
- Hooked APIs to allow loading of metsrv.dll from memory:
  - NtOpenSection, NtCreateSection
  - NtQueryAttributesFile
  - NtOpenFile, NtMapViewOfSection




Meterpreter Communication

- TLV (really LTV) structures
  - Provide the communication protocol between the meterpreter server and client
  - 32-bit Length and Type fields
  - n-bit Value field





Response Packet Structure

Response Packet
  Length: sizeof(Response Packet)
  Type:   PACKET_TLV_TYPE_PLAIN_RESPONSE
  Value:
    TLV  Length: sizeof(this tlv)  Type: TLV_TYPE_METHOD      Value: stdapi_sys_process_getpid
    TLV  Length: sizeof(this tlv)  Type: TLV_TYPE_REQUEST_ID  Value: 31648133467023991289165375363994
    TLV  Length: sizeof(this tlv)  Type: TLV_TYPE_PID         Value: 0x000003EC
    TLV  Length: sizeof(this tlv)  Type: TLV_TYPE_RESULT      Value: 0x00000000





Response Packet from Memory

03 74 04 06 00 01 00 01 73 74 64 61 70 69 5F 73   .t......stdapi_s
79 73 5F 70 72 6F 63 65 73 73 5F 67 65 74 70 69   ys_process_getpi
64 00 00 00 00 29 00 01 00 02 33 31 36 34 38 31   d....)....316481
33 33 34 36 37 30 32 33 39 39 31 32 38 39 31 36   3346702399128916
35 33 37 35 33 36 33 39 39 34 00 00 00 00 0C 00   5375363994......
02 08 FC 00 00 03 EC 00 00 00 0C 00 02 00 04 00   ................
00 00 00 01 43 05 93 01 0B 00 0E 00 C7 01 0E 00   ....C...........

TLV Packet (first TLV highlighted)
  Length: doesn't exist, overwritten by free() (the leading DWORD 03 74 04 06 is heap bookkeeping)
  Type:   TLV_TYPE_METHOD 0x00010001
  Value:  stdapi_sys_process_getpid
Response Packet from Memory (same dump, second TLV highlighted)

TLV Packet
  Length: 0x29
  Type:   TLV_TYPE_REQUEST_ID 0x00010002
  Value:  31648133467023991289165375363994
Response Packet from Memory (same dump, third TLV highlighted)

TLV Packet
  Length: 0x0C
  Type:   TLV_TYPE_PID 0x000208FC
  Value:  0x000003EC
Response Packet from Memory (same dump, fourth TLV highlighted)

TLV Packet
  Length: 0x0C
  Type:   TLV_TYPE_RESULT 0x00020004
  Value:  0x00000000
Meterpreter Communication

- The response packet is freed by meterpreter
- However...
- When Windows' memory manager frees memory, it is not immediately reused
  - It can take hours for memory to be reclaimed after it has been freed



Metasploit Forensic Framework

- Scan acquired VADs looking for:
  - Strings containing meterpreter methods
- This indicates a TLV response to a specific method
- Parsing out the response TLV gives analysts the data attackers received
- Also indicates what commands were executed on the machine
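The carving described on this slide, applied to the TLV layout from the Meterpreter Communication slides, as an added example that is not MSFF's code: it searches a constructed VAD dump (modeled on the response packet dump above) for a known method string, ignores the METHOD TLV's Length because free() has overwritten it, and re-parses the request ID, PID and result TLVs that follow it. As the dump shows, a TLV's Length counts its own 8-byte header (0x29 for the 32-digit request ID plus its NUL). The meta-type decoding (0x0001xxxx string, 0x0002xxxx unsigned int), the MAX_TLV_LEN cutoff, the method list and the sample bytes are assumptions of this example.

```python
import struct

# TLV type constants shown on the slides. The high 16 bits carry the meta type
# (assumed from Meterpreter's TLV convention: 0x0001xxxx = string,
# 0x0002xxxx = unsigned int), which is how the value is decoded below.
TLV_TYPE_METHOD = 0x00010001
TLV_TYPE_REQUEST_ID = 0x00010002
TLV_TYPE_RESULT = 0x00020004
TLV_TYPE_PID = 0x000208FC
TLV_META_STRING = 1 << 16
TLV_META_UINT = 1 << 17
TLV_HEADER = 8          # Length + Type, big-endian; Length counts the header too
MAX_TLV_LEN = 0x10000   # anything larger is treated as heap garbage, not a TLV

TYPE_NAMES = {TLV_TYPE_REQUEST_ID: "request_id", TLV_TYPE_PID: "pid",
              TLV_TYPE_RESULT: "result"}

# Method strings to hunt for; the slide shows this one, a real scan carries the
# full list of core/stdapi method names.
KNOWN_METHODS = [b"stdapi_sys_process_getpid"]


def decode_value(tlv_type, raw):
    meta = tlv_type & 0xFFFF0000
    if meta == TLV_META_STRING:
        return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    if meta == TLV_META_UINT and len(raw) == 4:
        return struct.unpack(">I", raw)[0]
    return raw


def parse_tlvs(buf, off, limit):
    """Parse consecutive TLVs from off; stop at the first implausible header."""
    tlvs = []
    while off + TLV_HEADER <= limit:
        length, tlv_type = struct.unpack_from(">II", buf, off)
        if not TLV_HEADER <= length <= MAX_TLV_LEN or off + length > limit:
            break
        if tlv_type & 0xFFFF0000 not in (TLV_META_STRING, TLV_META_UINT):
            break
        tlvs.append((tlv_type, decode_value(tlv_type, buf[off + TLV_HEADER:off + length])))
        off += length
    return tlvs


def carve_responses(buf):
    """Find freed response packets by their method string and re-parse them.

    The METHOD TLV is located by its value, not its header: after free() the
    Length DWORD holds heap bookkeeping (03 74 04 06 on the slide), so only the
    Type is checked and the value's NUL terminator marks where the next TLV starts.
    """
    found = []
    for method in KNOWN_METHODS:
        pos = buf.find(method)
        while pos != -1:
            hdr = pos - TLV_HEADER
            if hdr >= 0 and struct.unpack_from(">I", buf, hdr + 4)[0] == TLV_TYPE_METHOD:
                nul = buf.find(b"\x00", pos)
                if nul != -1:
                    resp = {"method": method.decode(), "offset": hdr}
                    for tlv_type, value in parse_tlvs(buf, nul + 1, len(buf)):
                        resp[TYPE_NAMES.get(tlv_type, f"type_0x{tlv_type:08x}")] = value
                    found.append(resp)
            pos = buf.find(method, pos + 1)
    return found


# Constructed VAD contents modeled on the slide's dump: heap filler, the freed
# response to stdapi_sys_process_getpid, then the trailing heap garbage.
SAMPLE_VAD = (
    b"\x00" * 16 + b"heap filler data"
    + bytes.fromhex("03740406 00010001") + b"stdapi_sys_process_getpid\x00"
    + bytes.fromhex("00000029 00010002") + b"31648133467023991289165375363994\x00"
    + bytes.fromhex("0000000c 000208fc 000003ec")
    + bytes.fromhex("0000000c 00020004 00000000")
    + bytes.fromhex("01430593 010b000e 00c7010e 00")
)

if __name__ == "__main__":
    for resp in carve_responses(SAMPLE_VAD):
        print(resp)
```

Anchoring on the method string and walking forward, instead of trusting the first Length field, is what makes this survive the free(): everything after the METHOD value is still intact on the slide, so the request ID, the PID the attacker was shown and the result code come back unchanged, and the parser stops by itself when it reaches bytes that no longer look like a header.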



Conclusion

- The Windows memory manager gives analysts a chance to see artifact memory
- Large impact for forensics
- Not so large on the Metasploit project
- Combining memory analysis with further research will lead to better and more effective projects



